
Division-by-zero vulnerabilities in the function pi_next_pcrl, pi_next_cprl and pi_next_rpcl in src/lib/openjp3d/pi.c #1123

Closed
@YangY-Xiao


Functions pi_next_pcrl, pi_next_cprl and pi_next_rpcl have division-by-zero vulnerabilities in src/lib/openjp3d/pi.c.

static bool pi_next_pcrl(opj_pi_iterator_t * pi)
{
    ...
                        if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                (trx0 << levelnox) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
                                (try0 << levelnoy) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
                                (trz0 << levelnoz) % (1 << rpx)))) {
                            continue;
                        }
    ...
}
static bool pi_next_rpcl(opj_pi_iterator_t * pi)
{
    ...
                        if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                (trx0 << levelnox) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
                                (try0 << levelnoy) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
                                (trz0 << levelnoz) % (1 << rpx)))) {
                            continue;
                        }
    ...
}
static bool pi_next_cprl(opj_pi_iterator_t * pi)
{
    ...
                        if ((!(pi->x % (comp->dx << rpx) == 0) || (pi->x == pi->tx0 &&
                                (trx0 << levelnox) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->y % (comp->dy << rpy) == 0) || (pi->y == pi->ty0 &&
                                (try0 << levelnoy) % (1 << rpx)))) {
                            continue;
                        }
                        if ((!(pi->z % (comp->dz << rpz) == 0) || (pi->z == pi->tz0 &&
                                (trz0 << levelnoz) % (1 << rpx)))) {
                            continue;
                        }
    ...
}

This issue is the same as #731, #732, #777, #778, #779 and #780,
and the patch should be like the patch for #731 and the others.

d27ccf0: patch for #731

 +                    /* To avoid divisions by zero / undefined behaviour on shift */
 +                    /* in below tests */
 +                    if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
 +                            rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
 +                        continue;
 +                    }
 +
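Review bot: the guard bounds only the x and y divisors (`comp->dx << rpx`, `comp->dy << rpy`), but the three openjp3d functions quoted above also divide by `comp->dz << rpz` and shift by `rpz`, so the equivalent fix for src/lib/openjp3d/pi.c needs a third clause in the same condition, along the lines of `rpz >= 31 || ((comp->dz << rpz) >> rpz) != comp->dz`. Note also that in the quoted code the y and z tests shift by `(1 << rpx)` rather than by `rpy` / `rpz`; whichever shift count those tests actually use is the one the `>= 31` bound has to cover, so check that before copying the #731 guard verbatim.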

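As an added illustration (not code from the issue or from openjpeg), the check below reproduces the shape of the d27ccf0 guard on plain integers: a divisor of the form `dx << rp` is only usable when the shift count is in range and no bits of `dx` were shifted out, because a shifted-out value wraps to zero (or to an unrelated small number) and the following `%` then divides by zero. The names `divisor_is_safe` and `aligned_or_skip` are hypothetical, and the explicit non-zero check at the end is an addition here rather than part of the original patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* True when (dx << rp) can safely be used as a divisor: the shift count is
 * below 31 (so 1 << rp fits a 32-bit int) and shifting back recovers dx
 * (so no high bits were lost). Mirrors the d27ccf0 guard; the final
 * non-zero test is an extra check added for this example. */
static bool divisor_is_safe(uint32_t dx, unsigned rp)
{
    if (rp >= 31) {
        return false;            /* 1 << rp would overflow a 32-bit int */
    }
    uint32_t shifted = dx << rp;
    if ((shifted >> rp) != dx) {
        return false;            /* bits lost: dx << rp != dx * 2^rp */
    }
    return shifted != 0;         /* a zero sampling step is never valid */
}

/* The "is x on a grid boundary" test from the packet iterator, guarded.
 * Returns 1 when aligned, 0 when not, -1 when the test must be skipped
 * because the divisor could not be formed safely. */
static int aligned_or_skip(uint32_t x, uint32_t dx, unsigned rp)
{
    if (!divisor_is_safe(dx, rp)) {
        return -1;
    }
    return (x % (dx << rp) == 0) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample inputs: a normal case, and two that the
     * unguarded expression would turn into a division by zero. */
    printf("dx=3   rp=10 -> %d\n", aligned_or_skip(3072, 3, 10));
    printf("dx=2^20 rp=12 -> %d\n", aligned_or_skip(5, 1u << 20, 12));
    printf("dx=1   rp=31 -> %d\n", aligned_or_skip(5, 1, 31));
    return 0;
}
```

The second and third cases are the ones the issue is about: `2^20 << 12` wraps a 32-bit value to exactly zero, and a shift count of 31 or more is out of range for `1 << rp`, so both are reported as "skip" instead of reaching the modulo.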